Understanding /var/account/pacct OR /var/account/acct – Acct File Format

Author: Vivek Gite Last updated: June 27, 2008 1 comment

Q. Can you explain /var/account/pacct or /var/log/account/pacct file under Linux / UNIX operating systems?

A. A acct file (/var/account/acct or /var/account/pacct) format is common in UNIX / Linux / BSD operating systems. The kernel will start the process accounting and stores in /var/account/pacct or /var/log/account/pacct file which the system wide unix process accounting or unix accounting file for UNIX / Linux like operating systems. The location and name of the file depends upon UNIX / Linux variant:

FreeBSD / OpenBSD default accounting file: /var/account/acct
Red Hat / RHEL / CentOS / Fedora Linux : /var/account/pacct
Debian / Ubuntu Linux : /var/log/account/pacct
Sun Solaris UNIX default accounting file : /var/adm/pacct

accton command

The accton utility is used for switching system accounting on or off. If called with the argument acctfile, system accounting is enabled. The acctfile specified must exist prior to starting system accounting, or accton will return an error. You can run accton as follows:
# accton /path/to/file # accton /var/account/acct
Under Red Hat / CentOS Linux, you can enter following command to start accounting service:
# chkconfig psacct on # /etc/init.d/psacct
Under Ubuntu / Debian Linux, you need to enter following command to start accounting service:
# update-rc.d acct defaults /etc/init.d/acct start

acct file format

The kernel maintains the following acct information structure for all processes. If a process terminates, and accounting is enabled, the kernel calls the acct(2) function call to prepare and append the record to the accounting file.

#define AC_COMM_LEN 16
 
     /*
      * Accounting structure version 2 (current).
      * The first byte is always zero.
      * Time units are microseconds.
      */
 
     struct acctv2 {
             uint8_t  ac_zero;               /* zero identifies new version */
             uint8_t  ac_version;            /* record version number */
             uint16_t ac_len;                /* record length */
 
             char      ac_comm[AC_COMM_LEN]; /* command name */
             float     ac_utime;             /* user time */
             float     ac_stime;             /* system time */
             float     ac_etime;             /* elapsed time */
             time_t    ac_btime;             /* starting time */
             uid_t     ac_uid;               /* user id */
             gid_t     ac_gid;               /* group id */
             float     ac_mem;               /* average memory usage */
             float     ac_io;                /* count of IO blocks */
             __dev_t   ac_tty;               /* controlling tty */
 
             uint16_t ac_len2;               /* record length */
             union {
                     __dev_t   ac_align;     /* force v1 compatible alignment */
 
     #define AFORK   0x01                    /* forked but not exec'ed */
     /* ASU is no longer supported */
     #define ASU     0x02                    /* used super-user permissions */
     #define ACOMPAT 0x04                    /* used compatibility mode */
     #define ACORE   0x08                    /* dumped core */
     #define AXSIG   0x10                    /* killed by a signal */
     #define ANVER   0x20                    /* new record version */
 
                     uint8_t  ac_flag;       /* accounting flags */
             } ac_trailer;
 
     #define ac_flagx ac_trailer.ac_flag
     };

If a terminated process was created by an execve(2), the name of the executed file (at most ten characters of it) is saved in the field ac_comm and its status is saved by setting one of more of the following flags in ac_flag: AFORK, ACOMPAT, ACORE and ASIG. ASU is no longer supported. ANVER is always set in the above structure.

How do I use acct file?

You need to use acct file using lastcomm or sa command. Please see following article for practial usage of acct file:

How to keep a detailed audit trail of what’s being done on your Linux systems

Recommended readings:

Refer to man pages and acct.h header file:
man 5 acct man 1 lastcomm man 2 acct man 2 execve man 8 sa man 1 accton vi /usr/include/linux/acct.h vi /usr/include/sys/acct.h

🐧 If you liked this page, please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:

RSS feed or Weekly email newsletter
Share on Twitter • Facebook • 1 comment... add one ↓

UP NEXT

Category	List of Unix and Linux commands
File Management	cat
Firewall	Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04
Network Utilities	dig • host • ip • nmap
OpenVPN	CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04
Package Manager	apk • apt
Processes Management	bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time
Searching	grep • whereis • which
User Information	groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w
WireGuard VPN	Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04